A quick rundown of our environment first...
I work at the corporate office of a medium-sized international corporation. We have roughly 50 remote offices that all have permanent VPN tunnels to corporate... a big star if you will. 15 of those offices have a domain controller and their workstations are members of the corporate 2003 domain, and so we have 16 sites total. The others either have workgroups or have their own untrusted domain. Typically remote offices CANNOT route to one another but can only get to the corporate 'hub'.
The Problem: One of these offices that has its own domain (untrusted) needs to access corporate resources which require authentication to the corporate domain. They have a secondary DNS zone for the corporate domain so they can ping corporate resources by name. The problem is that in my experience, when you ping a fully qualified domain name you can get a response from any DC in your site. If you are like this remote office and outside the domain and therefore not in a site... you can get a response from ANY domain controller in the entire forest. Well, they only have network access to those DCs located at the corporate office, but often when they try to ping or authenticate to our domain, they are asking domain controllers at other remote offices and therefore get no response. Is it possible to force a remote office, when pinging or authenticating to the corporate domain, to ONLY ask domain controllers in the corporate site? Or even just one specific domain controller at corporate?
I imagine if this could be done it would have to be done in DNS but I cannot figure out how it is possible.
Thanks in advance for any help!!
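As an added illustration (not part of the original question or any reply), the following Python models the DNS step of the Windows DC locator over a constructed set of SRV records: the domain corp.example.com, the site names Corporate and Branch07 and the DC hostnames are assumptions, and the selection logic is a simplified model rather than Microsoft's code. It shows why a client with no site ends up on the domain-wide record, which lists DCs in every site, while a site-scoped query narrows the answer to that site's DCs.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "name priority weight port target")

DOMAIN = "corp.example.com"  # hypothetical domain name
# Constructed sample zone data. The generic record lists every DC in the
# domain; each site-scoped record lists only the DCs registered in that site.
RECORDS = [
    SRV(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 0, 100, 389, "dc1.corp.example.com"),
    SRV(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 0, 100, 389, "dc2.corp.example.com"),
    SRV(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 0, 100, 389, "branch07-dc.corp.example.com"),
    SRV(f"_ldap._tcp.Corporate._sites.dc._msdcs.{DOMAIN}", 0, 100, 389, "dc1.corp.example.com"),
    SRV(f"_ldap._tcp.Corporate._sites.dc._msdcs.{DOMAIN}", 0, 100, 389, "dc2.corp.example.com"),
    SRV(f"_ldap._tcp.Branch07._sites.dc._msdcs.{DOMAIN}", 0, 100, 389, "branch07-dc.corp.example.com"),
]

def srv_name(domain, site=None):
    """Name the locator queries: site-scoped only if the client knows its site."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"

def lookup(records, name):
    # DNS names are case-insensitive, so compare them that way.
    return [r for r in records if r.name.lower() == name.lower()]

def order_by_priority_weight(records, rng=None):
    """RFC 2782 client ordering: lowest priority first, then a weighted
    random pick within each priority level (uniform if all weights are 0)."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            weights = [r.weight for r in bucket]
            chosen = rng.choices(bucket, weights=weights if sum(weights) else None)[0]
            ordered.append(chosen)
            bucket.remove(chosen)
    return ordered

def locate_dcs(records, domain, site=None, rng=None):
    """Candidate DC targets in the order a client would try them. With no site
    (or a site that has no registered DCs) the generic record is used, which is
    why a site-less client may be handed a DC it cannot route to."""
    hits = lookup(records, srv_name(domain, site))
    if not hits:
        hits = lookup(records, srv_name(domain))
    return [r.target for r in order_by_priority_weight(hits, rng)]
```

The locator learns a client's site from the subnet-to-site mapping in Active Directory Sites and Services, so whether the remote office's subnet is mapped to any site is the first thing to check.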